GCP Authentication Support
Atmos now supports first-class Google Cloud authentication alongside AWS and Azure, with provider-scoped file isolation and a unified auth experience.
What Changed
- Added GCP providers: `gcp/adc` and `gcp/workload-identity-federation`.
- Added GCP identities: `gcp/service-account` and `gcp/project`.
- Implemented provider-scoped file isolation at `~/.config/atmos/gcp/<provider-name>/...`.
- Integrated GCP auth with `atmos auth login`, `atmos auth whoami`, and Terraform execution.
Why This Matters
- Use the same auth flow across AWS, Azure, and GCP.
- Avoid long-lived keys in CI/CD with Workload Identity Federation.
- Keep credentials isolated per provider and identity, without touching the user's `gcloud` config.
How to Use It
For local development with ADC:

```yaml
auth:
  providers:
    gcp-adc:
      kind: gcp/adc
      project_id: my-project
  identities:
    terraform:
      kind: gcp/service-account
      default: true
      via:
        provider: gcp-adc
      principal:
        service_account_email: terraform@my-project.iam.gserviceaccount.com
```
For GitHub Actions with Workload Identity Federation — no token_source needed, everything is auto-detected:
```yaml
auth:
  providers:
    gcp-wif:
      kind: gcp/workload-identity-federation
      project_number: "123456789012"
      workload_identity_pool_id: github-pool
      workload_identity_provider_id: github-provider
      service_account_email: ci-sa@my-project.iam.gserviceaccount.com
```
In GitHub Actions, Atmos automatically detects ACTIONS_ID_TOKEN_REQUEST_URL, constructs the correct WIF audience, and fetches the OIDC token — no manual token_source, url, or audience configuration required. Just ensure your workflow has id-token: write permission.
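To make the auto-detection concrete, here is an added example (not Atmos code, and not part of the original post) that builds the WIF audience from the three provider fields above, checks whether a job actually exposes the GitHub OIDC endpoint, and inspects the `aud` claim of an ID token before it is exchanged. The audience format is GCP's documented provider resource name; that Atmos derives the audience exactly this way is an assumption based on the post saying it "constructs the correct WIF audience". The `ACTIONS_ID_TOKEN_REQUEST_TOKEN` variable comes from GitHub's OIDC documentation, not from this post, and the sample token is constructed and unsigned.

```python
import base64
import json
import os

# GCP's documented resource name for a WIF provider, which is what the `aud`
# claim of the external token must equal. Assumption: Atmos builds the audience
# from project_number / workload_identity_pool_id / workload_identity_provider_id
# using this same shape.
WIF_AUDIENCE_TEMPLATE = (
    "//iam.googleapis.com/projects/{project_number}/locations/global/"
    "workloadIdentityPools/{pool_id}/providers/{provider_id}"
)


def wif_audience(project_number: str, pool_id: str, provider_id: str) -> str:
    """Build the expected `aud` value for a WIF provider from the config fields."""
    # The config uses the numeric project *number*, not the project ID string;
    # mixing the two is a common cause of "invalid audience" failures.
    if not project_number.isdigit():
        raise ValueError("project_number must be the numeric project number, not the project ID")
    return WIF_AUDIENCE_TEMPLATE.format(
        project_number=project_number, pool_id=pool_id, provider_id=provider_id
    )


def github_oidc_available(env=None) -> bool:
    """True when the job exposes the OIDC endpoint, i.e. `id-token: write` is set.

    GitHub sets both the request URL (named in the post) and a bearer token for
    that URL (per GitHub's docs); without the permission neither is present.
    """
    env = os.environ if env is None else env
    return bool(env.get("ACTIONS_ID_TOKEN_REQUEST_URL")) and bool(
        env.get("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
    )


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.

    This is only for inspecting `aud`/`sub` locally before the exchange;
    GCP's STS endpoint is what verifies the signature against GitHub's keys.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(token: str, expected_audience: str) -> bool:
    """Check that the token was minted for this specific WIF provider."""
    aud = jwt_claims(token).get("aud")
    if isinstance(aud, str):
        aud = [aud]
    return expected_audience in (aud or [])


def _make_sample_token(aud: str) -> str:
    """Constructed, unsigned sample token for illustration only."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "iss": "https://token.actions.githubusercontent.com",
        "aud": aud,
        "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    }

    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")

    return f"{enc(header)}.{enc(payload)}."


# Values mirror the gcp-wif provider block in the post.
SAMPLE_AUDIENCE = wif_audience("123456789012", "github-pool", "github-provider")
SAMPLE_TOKEN = _make_sample_token(SAMPLE_AUDIENCE)

if __name__ == "__main__":
    print("expected audience:", SAMPLE_AUDIENCE)
    print("OIDC endpoint exposed in this shell:", github_oidc_available())
    print("sample token aud matches:", audience_matches(SAMPLE_TOKEN, SAMPLE_AUDIENCE))
```

If `github_oidc_available()` is false inside a workflow, the fix is on the workflow side (`permissions: id-token: write`), not in the Atmos config; and a token whose `aud` does not equal the provider resource name will be rejected by GCP regardless of how the pool is configured, so checking that mapping first saves a round of debugging.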
Authenticate and verify:

```shell
atmos auth login --identity terraform
atmos auth whoami
```
Get Involved
Feedback and testing reports are welcome. If you use GCP in CI/CD, try the WIF provider and share any edge cases you encounter.
